Re: [PATCH V2] aacraid: Check size values after double-fetch from user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Aug 05, 2016 at 01:44:10PM -0600, Dave Carroll wrote:
>  In aacraid's ioctl_send_fib() we do two fetches from userspace, one 
>  the get the fib header's size and one for the fib itself. Later we use 
>  the size field from the second fetch to further process the fib. If 
>  for some reason the size from the second fetch is different than from 
>  the first fix, we may encounter an out-of- bounds access in 
>  aac_fib_send(). We also check the sender size to insure it is not
>  out of bounds. This was reported in
>  https://bugzilla.kernel.org/show_bug.cgi?id=116751 and was assigned
>  CVE- 2016-6480.
>  
> Reported-by: Pengfei Wang <wpengfeinudt@xxxxxxxxx>
> Fixes: 7c00ffa31 '[SCSI] 2.6 aacraid: Variable FIB size (updated patch)'
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Dave Carroll <david.carroll@xxxxxxxxxxxxx>

Thanks Dave,

Reviewed-by: Johannes Thumshirn <jthumshirn@xxxxxxx>

-- 
Johannes Thumshirn                                          Storage
jthumshirn@xxxxxxx                                +49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]